Description
The functions pi_next_pcrl, pi_next_cprl and pi_next_rpcl in src/lib/openjp3d/pi.c contain division-by-zero vulnerabilities: the `%` operands `comp->dx << rpx`, `comp->dy << rpy`, `comp->dz << rpz` and `1 << rpx` are computed from unchecked shift counts taken from the input, so they can evaluate to zero (or the shift itself is undefined when the count reaches the width of the type).
/* Packet-iterator advance step (excerpt quoted from src/lib/openjp3d/pi.c;
 * the elided parts set up comp, rpx/rpy/rpz, levelno{x,y,z} and tr{x,y,z}0
 * and contain the loop that the `continue` statements belong to).
 *
 * Each axis test below uses `%` with a divisor built from a shift count
 * (`comp->dx << rpx`, `1 << rpx`, ...). Nothing in this excerpt bounds the
 * shift counts first, so a large count can make the divisor 0 (division by
 * zero) or the shift itself undefined (count >= width of the type). */
static bool pi_next_pcrl(opj_pi_iterator_t * pi)
{
...
/* x axis: `comp->dx << rpx` is the `%` divisor -> 0 for a large rpx. */
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
(trx0 << levelnox) % (1 << rpx)))) {
continue;
}
/* y axis: same hazard with `comp->dy << rpy`.
 * NOTE(review): the second `%` shifts by rpx, not rpy -- confirm intended. */
if ((!(pi->y % (comp->dy << rpy) == 0) || (pi->y == pi->ty0 &&
(try0 << levelnoy) % (1 << rpx)))) {
continue;
}
/* z axis: same hazard with `comp->dz << rpz`; a guard that only checks rpx
 * and rpy (as in the 2D openjpeg fix) would leave this divisor unprotected.
 * NOTE(review): the second `%` shifts by rpx, not rpz -- confirm intended. */
if ((!(pi->z % (comp->dz << rpz) == 0) || (pi->z == pi->tz0 &&
(trz0 << levelnoz) % (1 << rpx)))) {
continue;
}
...
}
/* Packet-iterator advance step (excerpt quoted from src/lib/openjp3d/pi.c;
 * the setup of comp, rpx/rpy/rpz, levelno{x,y,z}, tr{x,y,z}0 and the
 * enclosing loop targeted by `continue` are elided).
 *
 * The `%` divisors below (`comp->dx << rpx`, `comp->dy << rpy`,
 * `comp->dz << rpz`, `1 << rpx`) are derived from unchecked shift counts:
 * with a large count the divisor becomes 0, and a count at or beyond the
 * type width makes the shift itself undefined behaviour. */
static bool pi_next_rpcl(opj_pi_iterator_t * pi)
{
...
/* x axis: divisor `comp->dx << rpx` is unguarded. */
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
(trx0 << levelnox) % (1 << rpx)))) {
continue;
}
/* y axis: divisor `comp->dy << rpy` is unguarded.
 * NOTE(review): `1 << rpx` here rather than `1 << rpy` -- confirm intended. */
if ((!(pi->y % (comp->dy << rpy) == 0) || (pi->y == pi->ty0 &&
(try0 << levelnoy) % (1 << rpx)))) {
continue;
}
/* z axis: divisor `comp->dz << rpz` is unguarded; any guard added for this
 * 3D variant must cover rpz as well as rpx/rpy.
 * NOTE(review): `1 << rpx` here rather than `1 << rpz` -- confirm intended. */
if ((!(pi->z % (comp->dz << rpz) == 0) || (pi->z == pi->tz0 &&
(trz0 << levelnoz) % (1 << rpx)))) {
continue;
}
...
}
/* Packet-iterator advance step (excerpt quoted from src/lib/openjp3d/pi.c).
 * Elided: the computation of comp, rpx/rpy/rpz, levelno{x,y,z}, tr{x,y,z}0,
 * and the loop that the `continue` statements refer to.
 *
 * Security note: every `%` below divides by a shifted value whose shift
 * count is not range-checked in this excerpt. `comp->dx << rpx` (and the
 * dy/dz, rpy/rpz equivalents) can wrap to 0 for a large count, giving a
 * division by zero; a count >= the type width is undefined on its own. */
static bool pi_next_cprl(opj_pi_iterator_t * pi)
{
...
/* x axis test; `%` by `comp->dx << rpx` and by `1 << rpx`, both unguarded. */
if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
(trx0 << levelnox) % (1 << rpx)))) {
continue;
}
/* y axis test; `%` by `comp->dy << rpy`, unguarded.
 * NOTE(review): second divisor is `1 << rpx`, not `1 << rpy` -- confirm. */
if ((!(pi->y % (comp->dy << rpy) == 0) || (pi->y == pi->ty0 &&
(try0 << levelnoy) % (1 << rpx)))) {
continue;
}
/* z axis test; `%` by `comp->dz << rpz`, unguarded -- this third axis does
 * not exist in the 2D library, so its guard cannot be copied from there.
 * NOTE(review): second divisor is `1 << rpx`, not `1 << rpz` -- confirm. */
if ((!(pi->z % (comp->dz << rpz) == 0) || (pi->z == pi->tz0 &&
(trz0 << levelnoz) % (1 << rpx)))) {
continue;
}
...
}
This issue is the same as #731, #732, #777, #778, #779 and #780, and the fix should follow the patch applied for #731 and the others, i.e. reject out-of-range shift counts before the tests are evaluated:
+ /* To avoid divisions by zero / undefined behaviour on shift */
+ /* in below tests */
+ if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
+ rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
+ continue;
+ }
+
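Review bot: The proposed guard only checks rpx and rpy, but the openjp3d versions quoted above also divide by `comp->dz << rpz` in the z-axis test of all three functions, so carrying the 2D patch over unchanged leaves that third `%` unprotected. The condition should be extended with `rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz` before the `continue`. The y- and z-axis tests in the quoted code also use `(1 << rpx)` rather than `(1 << rpy)`/`(1 << rpz)`; the `rpx >= 31` check happens to cover those expressions as written, but if that is a copy-paste slip it is worth correcting in the same change. The loop these tests sit in is not quoted, so the insertion point of the guard (ahead of the first axis test, where comp and rpx/rpy/rpz are already set) has to be confirmed against the full function bodies.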